Tuesday, August 31, 2004

I just read this whitepaper about new security features in RedHat Enterprise Linux Update 3. I use this distro extensively at work, and it's pretty good. I'm happy to see that NX support, ExecShield and other technologies they've already added to Fedora will finally be coming to RHEL.

There's a section at the end of the paper that claims these additional security measures would have stopped 75% of all the security issues for which patches were released from November 2003 to August 2004. That's a pretty impressive number. Of course, you still need to apply the vendor security patches in a timely fashion, but this looks to be a very handy safety net.

Well-known Russian anti-virus vendor Kaspersky Labs is feeding the FUD machine. Its head, Yevgeny Kaspersky, is quoted in this article about the coming cyber-jihad. Apparently, tomorrow (Thursday, August 26) there will be a "large scale virus attack" that "might be delivered by Islamic terrorists".

I don't know about you, but I go through every day thinking, "There might be a large-scale virus attack today." And a lot of the time, I'm right. Either I've somehow got a psychic connection with Islamic terrorists, or this isn't news because it happens all the time. You choose. Kaspersky, you are better than this.

Update 08/26/04: Although this story was widely reported, Kaspersky Labs says it was just a misunderstanding of what Mr. Kaspersky was actually saying. See this story for more details.

Friday, August 20, 2004

F-Secure's AntiVirus Research Weblog has a good article explaining one of the less publicized features of SP2. Now, whenever you download a file through IE, it creates an Alternate Data Stream (ADS) attached to that file that specifies which network zone the file came from. The idea here is that if you download an executable file from an untrusted zone (i.e., the Internet) and save it on your hard drive, the system won't later let you run it unless you first submit to a popup dialog acknowledging that you know it might be dangerous.

This feature only works on NTFS filesystems, so floppy disks and USB dongles are still vulnerable, but it seems like a good idea overall. Unfortunately, as this advisory points out, there are ways to get around this restriction.
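As an added example (not code from F-Secure's post or from Microsoft), here is a small Python check that reads and interprets the `Zone.Identifier` stream SP2 attaches to downloaded files. The zone-number table and the treatment of zones 3 and 4 as the untrusted ones are assumptions from how IE's URL security zones are numbered; the stream is reached through the NTFS `file:Zone.Identifier` syntax, so on a FAT floppy or USB stick the check simply reports no mark.

```python
import os

# Assumed URL security zone numbers used in the ZoneId value.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

def parse_zone_identifier(text: str):
    """Parse stream contents such as '[ZoneTransfer]\\r\\nZoneId=3'.
    Returns the integer ZoneId, or None if the stream is not well formed."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section == "zonetransfer" and sep and key.strip().lower() == "zoneid":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None

def read_zone_identifier(path: str):
    """Open the alternate stream 'path:Zone.Identifier' (NTFS only).
    Returns None when the stream is absent or unreadable, which is also
    what you get for files on FAT media, where no ADS can exist."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as f:
            return parse_zone_identifier(f.read())
    except (OSError, ValueError):
        return None

def is_untrusted(zone_id) -> bool:
    """Assumption: zones 3 (Internet) and 4 (Restricted) trigger the warning."""
    return zone_id in (3, 4)

def find_marked_files(root: str) -> list:
    """Walk a directory tree and list files whose ADS says they came from
    an untrusted zone: a quick inventory of what SP2 would warn about."""
    marked = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_untrusted(read_zone_identifier(full)):
                marked.append(full)
    return marked
```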

Thursday, August 19, 2004

Ok, this is a little weird. Apparently, a National Science Foundation research station at the South Pole was hacked earlier this year. Although the NSF disputes the claim, US Attorney General John Ashcroft and the FBI have at various times claimed that the attack placed the lives of the scientists there at risk, because the life support system was compromised. That may or may not be true, but it's certainly a convenient excuse for them to tout the USA PATRIOT Act and how they say it saved 58 lives.

If you're not familiar with them, you should be. They scan a system for common configuration errors and provide you with plenty of good feedback about what you can do to improve your security posture. Perhaps more importantly, they also calculate a numeric "score" you can use as an executive educational tool.

Versions of the scanner are available for various Unix and Windows systems as well as Cisco's IOS and the Oracle database.

Tuesday, August 17, 2004

Here's another story that's been widely reported. Apparently the SHA-0 cryptographic hash function has been broken. In this sense, "broken" means that someone found a way to take a message and its associated hash, then create a different message that has the same hash. This could be a Very Bad Thing, since these sorts of functions are used as the basis for a lot of encryption and digital signature protocols. Check out the /. version of this story here.

Friday, August 13, 2004

Ok, this one is actually a little scary. You know about the Emergency Alert System that allows the government to interrupt radio and TV broadcasts to put out... well... Emergency Alerts. According to an article over at SecurityFocus.com, this thing has more holes than Swiss cheese, and is vulnerable not only to Denial of Service, but to spoof attacks which might allow someone to inject false messages that are sent out without any sort of human review whatsoever. I can only speculate about what sort of havoc this could cause in the wrong hands and under the wrong circumstances.

Monday, August 09, 2004

Metasploit is a great tool, and version 2.2 promises several soon-to-be indispensable features, including DLL injection payloads, VNC support, and support & documentation for creating your own custom exploit modules.

Friday, August 06, 2004

Tor is an anonymizing layer on top of TCP. It uses a concept called "onion routing" to keep your online activities anonymous. Basically, packets are routed at random through a network of Tor servers (provided by the Tor user community), making it very difficult to trace their real origin. The contents are encrypted separately for each server, so only the final Tor server will be able to read your payload data, just before it is sent to its final destination, but by that time the IP information tying that packet to you will be lost.
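As an added illustration (not the Tor project's code), here is a toy model of the layered encryption described above. The client wraps the payload once per relay, each relay strips only its own layer and learns just the next hop, and only the exit sees the plaintext and destination. The SHA-256 counter-mode keystream is a stand-in cipher assumed for the example, not Tor's construction, and the relay names and keys are constructed.

```python
import hashlib

# Toy stream cipher (SHA-256 in counter mode XORed onto the data): an
# assumed stand-in for the per-hop cipher, NOT Tor's construction.
def _keystream(key: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while counter * 32 < length:
        blocks.append(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]

def _xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def build_onion(payload: bytes, destination: str, circuit: list) -> bytes:
    """circuit: [(relay_name, relay_key), ...] from entry relay to exit relay.
    Wrap from the inside out: the exit's layer carries the real destination
    and the payload; every earlier layer only names the next relay."""
    blob, next_hop = payload, destination
    for name, key in reversed(circuit):
        blob = _xor(key, f"NEXT:{next_hop}|".encode() + blob)
        next_hop = name
    return blob

def peel(key: bytes, blob: bytes):
    """One relay's work: strip its own layer and learn only the next hop."""
    plain = _xor(key, blob)
    header, sep, inner = plain.partition(b"|")
    if not sep or not header.startswith(b"NEXT:"):
        raise ValueError("wrong key for this layer, or corrupted data")
    return header[5:].decode(), inner

def can_read(key: bytes, blob: bytes) -> bool:
    """True only for the relay whose layer is currently on the outside."""
    try:
        peel(key, blob)
        return True
    except (ValueError, UnicodeDecodeError):
        return False

def route(circuit: list, blob: bytes) -> dict:
    """Simulate the circuit, recording what each relay could observe."""
    seen, prev, next_hop = {}, "client", None
    for name, key in circuit:
        next_hop, blob = peel(key, blob)
        seen[name] = {"from": prev, "to": next_hop}
        prev = name
    return {"destination": next_hop, "payload": blob, "relays": seen}
```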

Thursday, August 05, 2004

I don't think much of hacking challenges in general. They can prove a system is vulnerable, but they cannot prove that it is not. In other words, if you're successful, there's obviously a problem, but if you're unsuccessful, maybe you just didn't hit on the magic combination.

That being said, here's a hacking challenge that might be worth looking into. Rebecca Mercuri's challenge to e-voting machine vendors to open themselves up to scrutiny by the security community is on the money, even without the $10,000 prize.

Wednesday, August 04, 2004

I'm more than a little suspicious of this AP article. It seems that Singapore is holding a national hacking contest to "help shed light on ways to prevent actual computer attacks". They could do this more cheaply and effectively by visiting their local bookstore and picking up a copy of Hacking Exposed or something. It's just a feeling I have, but their stated reason doesn't seem on the level.

Monday, August 02, 2004

SecurityFocus has published a nice article detailing the basics of HTTP tunneling. Tunneling is a technique that encapsulates network traffic inside other network traffic. In this case, you can encapsulate your attack traffic inside HTTP traffic, which is most likely allowed through your target's perimeter defenses.